b'\x0cLIMITED AUDIT OF THE FISCAL YEAR 2006\n    FEDERAL MANAGERS\xe2\x80\x99 FINANCIAL\n     INTEGRITY ACT SECTION 2 AND\n  SECTION 4 ASSURANCE STATEMENTS\n  REPORT NUMBER: A060224/A/F/F07003\n          NOVEMBER 1, 2006\n\n\n\n\n                  3\n\x0cNovember 1, 2006\n\nReply to     Andrew Patchan, Jr.\nAttn of:     Acting Assistant Inspector General for Auditing (JA)\n\nSubject:     Limited Audit of the Fiscal Year 2006 Federal Managers\xe2\x80\x99 Financial\n             Integrity Act Section 2 and Section 4 Assurance Statements\n             Report Number: A060224/A/F/F07003\n\nTo:          Lurita Doan\n             Administrator (A)\n\n             David L. Bibb\n             Deputy Administrator (AD)\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) limited\naudit of the General Services Administration\xe2\x80\x99s (GSA) Fiscal Year 2006 Federal\nManagers\xe2\x80\x99 Financial Integrity Act (FMFIA) Section 2 and Section 4 Assurance\nStatements. The assurance statement questionnaires prepared by the Regional\nAdministrators (RAs) and the Heads of Services and Staff Offices (HSSOs) are\nused by the Management Control and Oversight Council as a basis for\ndeveloping the Administrator\xe2\x80\x99s FMFIA Assurance Statement to the President and\nCongress. The objective of the audit was to determine whether the Section 2\nand Section 4 Assurance Statement questionnaires, as prepared by the RAs and\nthe HSSOs, adequately disclosed all known control weaknesses and non-\nconformances in the Agency\xe2\x80\x99s programs, operations, and systems.\n\nTo accomplish our objective we reviewed the FMFIA Section 2 and Section 4\nAssurance Statement questionnaires submitted by the RAs and HSSOs, internal\nand external audit reports, and the findings noted to date by\nPricewaterhouseCoopers LLP (PwC), an independent public accounting firm, in\ntheir audit of GSA\xe2\x80\x99s Fiscal Year 2006 Financial Statements.\n\nThe audit was performed in accordance with generally accepted government\nauditing standards from August through October 2006. However, we did not\nperform an assessment of the internal control structure over the agency\xe2\x80\x99s FMFIA\nevaluation and reporting process. Accordingly, we do not express an opinion on\nthe adequacy of the basis used in the preparation of the assurance statements\nsubmitted by the RAs and HSSOs.\n\x0c                             RESULTS OF AUDIT\n\nIn reviewing those management and systems control weaknesses reported in the\nFMFIA Section 2 and Section 4 Assurance Statement questionnaires as\nprepared by GSA management, the Agency senior officials reported weaknesses\nin the following areas: Compliance with Federal Financial System Requirements;\nHuman Capital Management; and Internal Control Issues at the Ft. Worth Office\nof Finance. In addition to these weaknesses, our review of audits performed by\nthe OIG identified issues relating to the Implementation of the Federal\nInformation Security Management Act and Required Background Investigations\nNot Completed for Contractors.\n\nCompliance with Federal Financial System Requirements\n\nThe Chief Financial Officer (CFO) and Deputy CFO both issued qualified Section\n4 Assurance Statements due to Compliance with Federal Financial System\nRequirements. The rationale behind the qualification was distributed across\nthree areas: 1) a need for significant clean-up of Unfilled Customer Orders and\nObligations, 2) the lack of integrated feeder systems for Pegasys, and 3)\ninconsistent data elements from the feeder systems. The report on GSA\xe2\x80\x99s\ncompliance with the Office of Management and Budget (OMB) Circular No. A-\n123, Appendix A, also noted high risk areas for each of the Services at GSA.\nThe report listed exceptions for the Federal Supply Service in Unfilled Customer\nOrders and Undelivered Orders, the Federal Technology Service had exceptions\nin Unassigned Funding and Non-Dial Tone Undelivered Orders and, the Public\nBuildings Service had exceptions in Unfilled Customer Orders, Delivered Orders\nUnpaid, and Undelivered Orders.\n\nShortage of Human Capital\n\nIn reviewing the Section 2 Assurance Statements we found 9 instances in which\na shortage in human capital was noted. However, only 1 of these 9 instances\nresulted in a qualified opinion. According to responses in the Section 2\nAssurance Statements, these shortages may be attributed to unfilled vacancies,\nan agency-wide hiring freeze, and employee buyouts.           In 2006, GSA\nimplemented a temporary hiring freeze for the Federal Technology Service,\nFederal Supply Service, and General Management and Administration staff for\norganizations funded through the Working Capital Fund. The concerns noted\nthroughout the Section 2 Assurance Statements was that the shortage of human\ncapital may have an effect on the ability to sustain and recruit new business\nopportunities, customer service, and the ability to meet performance\nrequirements.\n\n\n\n\n                                       2\n\x0cInternal Control Issues at Forth Worth Office of Finance\n\nAs reported in the Region 7 Section 2 Assurance Statement, the Ft. Worth Office\nof Finance issued a qualified assurance statement relating to internal controls.\nSpecifically, the assurance statement details inadequate internal controls to\npreclude overspending of client agency funding, a lack of timely close out of\ncontract payment files and prompt return of excess client funding, a lack of strong\nsystem internal controls related to the submission of financial data through FTS\xe2\x80\x99\nOrder Management Information System (OMIS), and lack of strong internal\ncontrols related to the timely reconciliation of PBS charge card logs.\n\nGSA\xe2\x80\x99s Implementation of the Federal Information Security Management Act\n\nAs required, the OIG performed the Fiscal Year 2006 review regarding GSA\xe2\x80\x99s\nprogress in implementing the Federal Information Security Management Act\n(FISMA). The purpose of FISMA is to provide a framework for securing Federal\ninformation systems. Although steps have been taken to address previously\nreported weaknesses, the auditors found instances where the Information\nSystem Security Officers (ISSO) and Information System Security Managers\n(ISSM) did not ensure that systems were properly secured. The auditors also\nfound that there is a need for improved policy and procedures to establish\nstandardized performance goals and measures for associates and contractors\nperforming ISSO and ISSM responsibilities, since these individuals do not\ntypically report directly to the Office of the GSA Chief Information Officer.\n\nRequired Background Investigations Not Completed for Contractors\n\nAs part of the OIG\xe2\x80\x99s FISMA Review of GSA\xe2\x80\x99s Information Technology Security\nProgram, the status of contractor background investigation was tested for ten\nsystems. In eight of the nine systems utilizing contractor support personnel\nreviewed, a number of security investigations had neither been completed and/or\nrequested as follows:\n\n    \xc2\x83   For the e-buy system, out of 94 contractor personnel, 12 background\n        investigations were completed and 82 were not completed.\n    \xc2\x83   For the USA Services/NCC system, for all 5 contractor personnel,\n        background investigations were not requested.\n    \xc2\x83   For the Data Gateway system, out of 5 contractor personnel, 1\n        background investigation was completed, 2 were not completed, and 2\n        were not requested.\n    \xc2\x83   For the FEDdesk system, out of 7 contractor personnel, 6 background\n        investigations were completed and 1 was not completed.\n    \xc2\x83   For the Region 5 PBS LAN system, out of 22 contractor personnel, 7\n        background investigations were completed and 15 were not completed.\n\n\n\n                                        3\n\x0c\x0c                    LIMITED AUDIT OF THE FISCAL YEAR 2006\n                        FEDERAL MANAGERS\xe2\x80\x99 FINANCIAL\n                         INTEGRITY ACT SECTION 2 AND\n                      SECTION 4 ASSURANCE STATEMENTS\n                      REPORT NUMBER: A060224/A/F/F07003\n                              NOVEMBER 1, 2006\n\n\nReport Distribution                                         Copies\n\nAdministrator (A)                                             3\n\nDeputy Administrator (AD)                                     3\n\nInspector General (J)                                         1\n\nActing Deputy Inspector General (JD)                          1\n\nActing Assistant Inspector General for Auditing (JA)          2\n\nAudit Operations Staff Office (JAO)                           1\n\nAssistant Inspector General for Investigations (JI)           1\n\nAudit Follow-Up and Evaluation Branch (BECA)                  1\n\n\n\n\n                                         5\n\x0c'